Review OpenBao onboarding readiness workplans

2026-05-26 07:08:25 +02:00
parent 1edcfbb17d
commit 9eabf6cd4d
2 changed files with 229 additions and 5 deletions

View File

@@ -8,7 +8,7 @@ status: active
owner: codex owner: codex
topic_slug: netkingdom topic_slug: netkingdom
created: "2026-05-24" created: "2026-05-24"
updated: "2026-05-24" updated: "2026-05-26"
depends_on: depends_on:
- NK-WP-0006 - NK-WP-0006
- NK-WP-0012 - NK-WP-0012
@@ -111,7 +111,7 @@ blocked under T03.
```task ```task
id: NET-WP-0015-T03 id: NET-WP-0015-T03
status: blocked status: done
priority: high priority: high
state_hub_task_id: "56a6266a-4acd-41e6-a395-85e90a5c35c6" state_hub_task_id: "56a6266a-4acd-41e6-a395-85e90a5c35c6"
``` ```
@@ -353,11 +353,17 @@ metadata. It also detects encrypted bootstrap bundle presence and plaintext
`sso-mfa/bootstrap/secrets/` exposure. This is the intended foundation for `sso-mfa/bootstrap/secrets/` exposure. This is the intended foundation for
trial-mode, custody-mode, unlock/apply, and later OpenBao handover flows. trial-mode, custody-mode, unlock/apply, and later OpenBao handover flows.
**2026-05-26:** Closed this custody-approval task after review against the
live bootstrap metadata: `platform-root` is recorded as the king credential,
MFA and KeyCape OIDC login are verified, and `temporary-single-king` custody is
explicitly approved for the pre-production OpenBao bootstrap. Remaining
hardening and user-onboarding readiness work is tracked in `NET-WP-0017`.
### T04 - Complete Railiance OpenBao Bootstrap Ceremony ### T04 - Complete Railiance OpenBao Bootstrap Ceremony
```task ```task
id: NET-WP-0015-T04 id: NET-WP-0015-T04
status: blocked status: done
priority: high priority: high
state_hub_task_id: "2102366e-064b-4071-8b6a-574d9d37d109" state_hub_task_id: "2102366e-064b-4071-8b6a-574d9d37d109"
``` ```
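Review bot: the 2026-05-26 note records that `temporary-single-king` custody is "explicitly approved for the pre-production OpenBao bootstrap" but not who approved it or when the approval is to be revisited. Since the same custody is what the follow-up work (naming the next independent escrow holder) is meant to move beyond, suggest adding the approver and a review-by reference, e.g. "approved by <role placeholder>, revisit under `NET-WP-0017`", so the acceptance is time-bounded rather than open-ended.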
@@ -367,11 +373,19 @@ the king credential model, enable audit and the first mounts/policies, create a
non-root `platform-admin` access path, and revoke or offline-escrow the initial non-root `platform-admin` access path, and revoke or offline-escrow the initial
root token. root token.
**2026-05-26:** Closed the bootstrap ceremony portion after live verification:
Railiance OpenBao is initialized, unsealed, and post-unseal verified; initial
configuration was applied; the initial OpenBao root token is recorded as
revoked; trial unseal shares were rotated; and restore-drill confirmation is
recorded in the bootstrap metadata. Declarative audit/durable audit shipping
and routine OIDC admin access remain follow-up readiness gates under
`NET-WP-0017` and `RAIL-PL-WP-0002`.
### T05 - Provision First NetKingdom Admin Identity ### T05 - Provision First NetKingdom Admin Identity
```task ```task
id: NET-WP-0015-T05 id: NET-WP-0015-T05
status: todo status: done
priority: high priority: high
state_hub_task_id: "d2a81d7b-9964-4bd5-9b8c-ef1324e02cd4" state_hub_task_id: "d2a81d7b-9964-4bd5-9b8c-ef1324e02cd4"
``` ```
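Review bot: T04 is flipped to `done` while its own description (context lines: "enable audit and the first mounts/policies ... revoke or offline-escrow the initial root token") includes enabling audit, and the new note defers "Declarative audit/durable audit shipping" to `NET-WP-0017` and `RAIL-PL-WP-0002`. Either narrow the task text to the ceremony steps that were actually completed, or keep the status at `in_progress` until audit is enabled, so a reader of the status block alone is not told the ceremony as described is finished. Also, "the initial OpenBao root token is recorded as revoked" reads as a metadata flag; consider stating the non-secret check that backed it (for example, that a lookup of the revoked token now fails).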
@@ -383,6 +397,12 @@ for `platform-root`, `platform-admin`, `netkingdom-admin`, and
`railiance-platform-admin`. `tegwick` may receive delegated day-to-day admin `railiance-platform-admin`. `tegwick` may receive delegated day-to-day admin
roles later, but must be revocable without losing root custody. roles later, but must be revocable without losing root custody.
**2026-05-26:** Closed for the bootstrap identity scope: the dedicated
`platform-root` user is recorded as created, assigned to
`net-kingdom-admins`, stored outside this repo, enrolled for MFA, and verified
through KeyCape OIDC. Richer IAM-profile claims for ordinary user onboarding
remain part of the user-onboarding readiness work in `NET-WP-0017`.
### T06 - Bind OpenBao Admin Auth To NetKingdom IAM ### T06 - Bind OpenBao Admin Auth To NetKingdom IAM
```task ```task
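Review bot: "stored outside this repo" in the new T05 note does not say where or under whose custody the `platform-root` credential lives. Suggest naming a non-secret location reference (password-manager vault name, escrow envelope id, or a clearly marked placeholder) and the custodian; otherwise the next operator cannot confirm the credential still exists or rotate it during the bootstrap-credential cleanup planned in `NET-WP-0017`.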
@@ -396,11 +416,18 @@ Replace temporary operator tokens with NetKingdom IAM-backed OpenBao admin
auth when the issuer and claim mapping are ready. The OpenBao root token must auth when the issuer and claim mapping are ready. The OpenBao root token must
not be the normal admin path. not be the normal admin path.
**2026-05-26:** The KeyCape `openbao-admin` client is code-defined, patched
into the live `keycape-config` Secret, rolled out, and verified without
requiring decrypted bootstrap secrets. This task remains in progress because
OpenBao `auth/keycape` still needs the fixed helper command to complete and
the MFA-backed `bao login -method=oidc -path=keycape role=platform-admin` path
still needs verification.
### T07 - Verify Recovery, Audit, And Rotation ### T07 - Verify Recovery, Audit, And Rotation
```task ```task
id: NET-WP-0015-T07 id: NET-WP-0015-T07
status: todo status: in_progress
priority: medium priority: medium
state_hub_task_id: "aa40cbb4-36d3-405d-b59d-0c21ae8c9539" state_hub_task_id: "aa40cbb4-36d3-405d-b59d-0c21ae8c9539"
``` ```
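Review bot: "code-defined, patched into the live `keycape-config` Secret, rolled out" describes a manual change to a live Secret alongside a declarative definition; the note should state whether the code-defined source and the live Secret are reconciled, so that the next rollout from source does not overwrite the live patch (or the reverse), since the still-pending MFA-backed `bao login -method=oidc -path=keycape role=platform-admin` verification depends on that client config staying in place. Separately, the T06 status block is outside this hunk, so confirm it was set to `in_progress` to match "This task remains in progress"; this hunk only shows T07 moving from `todo` to `in_progress`.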
@@ -409,6 +436,11 @@ Confirm snapshot/restore drill, durable audit-log handling, root-token
disposition, unseal/recovery rotation expectations, and the follow-up owner disposition, unseal/recovery rotation expectations, and the follow-up owner
for adding at least one additional human escrow holder. for adding at least one additional human escrow holder.
**2026-05-26:** Root-token disposition, unseal-key rotation, post-unseal
verification, and restore-drill confirmation are recorded. This task remains
open for declarative audit configuration/durable audit shipping, residual
taint-response closeout, and the next independent escrow holder.
### T08 - Reset, Rotate, And Reopen Under King Oversight ### T08 - Reset, Rotate, And Reopen Under King Oversight
```task ```task
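Review bot: the new note says restore-drill confirmation is "recorded" and the T04 note earlier in this same change says trial unseal shares were rotated, but neither says in which order these happened; a restore drill proves the current recovery material only if it ran after the last rotation. Suggest recording the drill date relative to the rotation, or scheduling a repeat, which is also what the new workplan asks for ("repeat the drill if any material changed").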

View File

@@ -0,0 +1,192 @@
---
id: NET-WP-0017
type: workplan
title: "IT Security Readiness For User Onboarding"
domain: netkingdom
repo: net-kingdom
status: active
owner: codex
topic_slug: netkingdom
created: "2026-05-26"
updated: "2026-05-26"
depends_on:
- NET-WP-0015
- NET-WP-0016
- RAIL-PL-WP-0002
---
# NET-WP-0017 - IT Security Readiness For User Onboarding
## Goal
Finish the remaining NetKingdom and Railiance security setup needed before
ordinary platform users, tenant admins, or fabric admins are onboarded.
`NET-WP-0015` established the king credential, OpenBao bootstrap ceremony, and
guided control surface. This workplan is the narrower finish-line plan: routine
admin access must use NetKingdom identity, bootstrap-era material must be
retired or explicitly accepted, audit/recovery posture must be credible, and a
first non-root onboarding dry run must prove the lifecycle model.
## Current Evidence
- `platform-root` exists in LLDAP, belongs to `net-kingdom-admins`, has MFA,
and completed KeyCape OIDC login.
- Railiance OpenBao is initialized, unsealed, and post-unseal verified.
- OpenBao initial configuration was applied; `platform/` KV and Kubernetes auth
exist.
- The initial OpenBao root token is recorded as revoked.
- Trial unseal shares were rotated.
- The KeyCape `openbao-admin` client is live and verified.
- OpenBao OIDC auth configuration and MFA-backed OpenBao admin login are still
pending.
- Declarative/durable audit handling, residual taint closeout, cleanup/rotation,
and the first ordinary-user onboarding dry run are still pending.
## Tasks
### T01 - Finish OIDC-Backed OpenBao Admin Login
```task
id: NET-WP-0017-T01
status: in_progress
priority: high
```
Run the fixed OpenBao OIDC helper, record the non-secret completion flag, then
verify `platform-root` can complete:
```bash
bao login -method=oidc -path=keycape role=platform-admin
```
The verification must prove the resulting OpenBao token has the intended
`platform-admin` policy without relying on the initial root token or a manually
minted temporary operator token.
### T02 - Close OpenBao Audit And Recovery Production Gates
```task
id: NET-WP-0017-T02
status: todo
priority: high
```
Resolve the remaining OpenBao production-trust gates:
- configure audit declaratively if API-managed audit remains rejected;
- confirm where audit logs are durably shipped beyond the audit PVC;
- retain non-secret restore-drill evidence and repeat the drill if any
material changed;
- record emergency seal/unseal drill evidence; and
- identify the next independent escrow holder for moving beyond temporary
single-king custody.
### T03 - Close Trial Taint And Retire Bootstrap Admin Paths
```task
id: NET-WP-0017-T03
status: todo
priority: high
```
Review all access paths created during the trial exposure and record the
compromise response complete only after the operator has either rotated,
revoked, reset, or explicitly accepted residual risk for:
- temporary OpenBao `platform-admin` tokens;
- bootstrap/root-token-derived paths;
- early LLDAP/Authelia/KeyCape admin credentials;
- local plaintext secret workspaces;
- bootstrap service tokens; and
- any copied command output or local shell history that may contain secret
values.
### T04 - Harden Bootstrap Infrastructure Before User Onboarding
```task
id: NET-WP-0017-T04
status: todo
priority: high
```
Complete the minimum hardening before ordinary users are onboarded:
- restrict direct administrative access to LLDAP and privacyIDEA to approved
operator networks or tunnels;
- verify no privileged login path bypasses MFA for platform-admin authority;
- rotate or reset bootstrap-era database, admin, and service credentials that
were created before custody was established;
- confirm host/workload checks and vulnerability scans are run or explicitly
deferred with owner/date; and
- update the bootstrap console state to `cleanup_complete` only when these
checks are recorded.
### T05 - Implement First User Lifecycle Operator Flow
```task
id: NET-WP-0017-T05
status: todo
priority: high
```
Turn the documented user lifecycle UX into the first practical operator flow
for:
- onboarding a scoped non-root user;
- temporarily locking that user;
- permanently offboarding that user;
- reviewing credentials and MFA state; and
- creating a fabric/tenant admin without platform-root authority.
The flow can begin as console/UI action cards, but it must show effective
access before saving and must not expose secrets.
### T06 - Run A Non-Root Onboarding Dry Run
```task
id: NET-WP-0017-T06
status: todo
priority: high
```
Create a test or first real non-root user using the new lifecycle flow. Verify:
- LLDAP identity and groups;
- MFA enrollment through privacyIDEA;
- KeyCape OIDC claims;
- expected application or platform scope;
- no platform-root or OpenBao root authority;
- lock/offboard path can be exercised or simulated; and
- non-secret audit/progress evidence is recorded.
This is the final gate before declaring the platform ready for normal user
onboarding.
### T07 - Review And Retire Superseded Bootstrap Workplans
```task
id: NET-WP-0017-T07
status: todo
priority: medium
```
After T01-T06 complete, review `NET-WP-0015`, `NET-WP-0016`,
`RAIL-PL-WP-0002`, and older NetKingdom credential/bootstrap workplans.
Mark completed work finished or archived, and leave only longer-horizon items
such as multi-custodian upgrade, enterprise federation, dynamic database
credentials, object-storage STS vending, and application onboarding contracts.
## Acceptance Criteria
- Routine OpenBao administration works through NetKingdom/KeyCape OIDC and MFA.
- The initial root token and temporary OpenBao admin tokens are not normal
operating paths.
- Audit, recovery, emergency seal, and restore evidence are recorded without
secret values.
- Bootstrap-era privileged credentials have been rotated, reset, revoked, or
explicitly accepted as residual risk.
- A non-root user onboarding dry run succeeds and proves lock/offboard/review
paths.
- The bootstrap console can honestly move beyond Admin Identity Integration
into cleanup and reopening.
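Review bot: T01 says the verification "must prove the resulting OpenBao token has the intended `platform-admin` policy" but does not say what evidence to record. Suggest naming the check: after the OIDC login, run `bao token lookup` on the resulting token and keep the non-secret fields (policies list, auth path, TTL) as the completion evidence, with the token id and accessor redacted, and add the negative check that the policies list does not include `root`, which is the same property T06 later demands ("no platform-root or OpenBao root authority"). Separately, T02's first bullet "if API-managed audit remains rejected" does not say what rejected it (an OpenBao error or a policy decision); a short reference would tell the operator whether to retry the API path or go straight to declarative configuration.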